Quickly inspecting HTTP traffic with tcpdump

Just a quick post on one of my favorite tcpdump tricks, one I have found useful for quick investigations of an app's behavior when you need a little more than what the access logs give you.

The Wireshark wiki has a great page of capture filters that, for a given kind of HTTP request, gives you a BPF expression; paired with tcpdump's -A option (print each packet in ASCII) it shows all the matching HTTP traffic passing through a node. The filters work by computing the TCP header length from the data offset nibble, (tcp[12:1] & 0xf0) >> 2, and comparing the first bytes of the TCP payload against the ASCII codes of the method (0x47 0x45 0x54 is "GET"). Two caveats: only the segment that carries the start of the request matches, so a request body that spans several segments is not printed in full, and the comparison is on plaintext, so TLS traffic never matches.

A couple of basic examples:

tcpdump -A 'tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x4745 && tcp[((tcp[12:1] & 0xf0) >> 2) + 2:1] = 0x54'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:31:54.870479 IP 10.0.1.134.56724 > 10.0.7.64.http-alt: Flags [P.], seq 1988783165:1988783563, ack 2609786817, win 65535, options [nop,nop,TS val 703013338 ecr 40647638], length 398
E...Bt@.@...
...
..@....v.l=../............
).!..l;.GET /v2/apps HTTP/1.1
Host: 10.0.77.64:8080
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Referer: http://10.0.7.64:8080/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

tcpdump -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:41:59.925399 IP 10.0.1.134.56765 > 10.0.7.64.http-alt: Flags [P.], seq 1595944397:1595945056, ack 1073928153, win 65535, options [nop,nop,TS val 703610055 ecr 40792556], length 659
E.....@.@.o.
...
..@...._ -.@..............
).<..nq.POST /v2/apps HTTP/1.1
Host: 10.0.77.64:8080
Connection: keep-alive
Content-Length: 182
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://10.0.7.64:8080
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Content-Type: application/json
Referer: http://10.0.7.64:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

You can narrow the match further by comparing more of the request line, for example a path prefix (GET /v2/), so that only the actions you are investigating are printed. BPF has no string matching, so every extra byte of the prefix is another comparison at the next offset past the TCP header, each repeating the same data offset expression.
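Writing those byte comparisons by hand is error-prone, so here is an added example (not from the original post) that generates the filter for any ASCII payload prefix, covering both how the Wireshark filters above are built and how to extend them with a path. It splits the prefix into 4-, 2- and 1-byte chunks, the widths BPF can compare, and emits one term per chunk at the right offset. The function name http_prefix_filter and the wlan0 interface in the comment are assumptions; the filters it prints for GET and POST are byte for byte the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original post: build a tcpdump/BPF filter that
# matches TCP segments whose payload starts with a given ASCII prefix, such as
# "GET /v2/". BPF compares at most 4 bytes at a time and has no string
# matching, so the prefix is split into 4-, 2- and 1-byte chunks, each
# compared against its big-endian hex value at its offset past the TCP header.

# Offset of the TCP payload: the data-offset nibble (tcp[12] >> 4) counts
# 32-bit words, so (tcp[12] & 0xf0) >> 2 is the header length in bytes.
TCP_PAYLOAD_OFF='((tcp[12:1] & 0xf0) >> 2)'

# Usage: http_prefix_filter 'GET /v2/'   (hypothetical helper name)
http_prefix_filter() {
    prefix=$1
    len=${#prefix}
    # hex encoding of the whole prefix, two characters per byte
    hex=$(printf '%s' "$prefix" | od -An -v -tx1 | tr -d ' \n')
    pos=0
    out=''
    while [ "$pos" -lt "$len" ]; do
        remaining=$((len - pos))
        # widest BPF compare (4, 2 or 1 bytes) that still fits
        if [ "$remaining" -ge 4 ]; then width=4
        elif [ "$remaining" -ge 2 ]; then width=2
        else width=1
        fi
        chunk=$(printf '%s' "$hex" | cut -c "$((2 * pos + 1))-$((2 * (pos + width)))")
        if [ "$pos" -eq 0 ]; then
            term="tcp[${TCP_PAYLOAD_OFF}:${width}] = 0x${chunk}"
        else
            term="tcp[${TCP_PAYLOAD_OFF} + ${pos}:${width}] = 0x${chunk}"
        fi
        if [ -z "$out" ]; then out=$term; else out="$out && $term"; fi
        pos=$((pos + width))
    done
    printf '%s\n' "$out"
}

# The two filters from the post, plus a narrower one for a single API prefix.
http_prefix_filter 'GET'
http_prefix_filter 'POST'
http_prefix_filter 'GET /v2/'

# Against a live interface (plaintext HTTP only; TLS payloads never match):
#   sudo tcpdump -A -i wlan0 "$(http_prefix_filter 'GET /v2/apps')"
```

Because it matches any prefix, the same helper also works for responses: 'HTTP/1.1 5' yields a filter for 5xx status lines coming back from the server. It still only matches the segment that carries the start of the request or response, so use it to find the interesting exchanges, then capture the full stream with a host/port filter if you need the whole body.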